(54) Method and apparatus for elliptic curve cryptography and recording medium therefor

(57) A method and an apparatus capable of realizing at a high speed an elliptic curve cryptography in a
finite field of characteristic 2, in which the elliptic curve is given by y² + xy = x³ + ax² + b (b ≠ 0), and an elliptic
curve cryptography method which can protect private key information against leaking from deviation information
of processing time to thereby defend a cipher text against a timing attack and a differential power analysis
(DPA) attack are provided. To this end, an arithmetic process for executing scalar multiplication arithmetic
d(x, y) a constant number of times per bit of the private key d is adopted. Further, for the scalar multiplication
d(x, y), a random number k is generated upon transformation of the affine coordinates (x, y) to the projective
coordinates for thereby effectuating the transformation (x, y) → [kx, ky, k] or alternatively (x, y) → [k²x, k³y, k].
Thus, object for the arithmetic is varied by the random number (k).
Description

[0001] The present invention relates generally to a technique for ensuring security in a computer network. More
particularly, the present invention is concerned with a method of realizing an elliptic curve cryptography (encryption/
decryption), an apparatus for carrying out the method and a recording medium for storing the same in the form of a
program executable with a computer.

[0002] The elliptic curve cryptography (encryption/decryption) is one of the public key cryptology algorithms invented
by V. Miller and N. Koblitz independently. As the postulation for the public-key cryptograph technology imposed from
the viewpoint of security, discovery of a private key on the basis of the counterpart public key laid open to the general
public must be made impossible in practice. On the other hand, the public key cryptosystem requires intrinsically a lot
of time for encryption and decryption when compared with the private key cryptosystem. Thus, in the present state of
the art, there exists a great demand for a high-speed processing technique for enabling encryption and decryption in
the public key cryptosystem. Under the circumstances, as the public key cryptograph technique which can satisfy both
requirements for the security and the high-speed processing susceptibility which are, so to say, contradictory to each
other, the elliptic curve cryptography which has more competence for dealing with the above problem than the RSA
(Rivest, Shamir & Adleman) cryptography and the ElGamal cryptography both known heretofore is now attracting
attention.

[0003] The elliptic curve cryptograph can be represented by the standard form of an elliptic curve in a finite prime
field, i.e., y² = x³ + ax + b (4a³ + 27b² ≠ 0), or alternatively by the standard form of an elliptic curve in a finite field of
characteristic 2 (which may also be referred to as the extension field of "2"), i.e., y² + xy = x³ + ax² + b (b ≠ 0). By
adding a point at infinity to the points on such curve, an Abelian group is made available. In this conjunction, the Abelian
group arithmetic will be represented by plus sign (+). Further, in conjunction with the arithmetics for X and Y which
differ from each other, "X + Y" will be referred to as the addition arithmetic. Furthermore, "X + X" will be referred to as
the doubling arithmetic and represented by "2X".

[0004] In order to facilitate computations involved in the elliptic curve cryptography, a point (X, Y) on an elliptic curve
in the affine coordinate system may also be expressed in terms of the projective coordinates. At this juncture, let's
suppose the projective coordinate system in which [X, Y, Z] = [λ²X, λ³Y, λZ] applies valid for a given λ ≠ 0. Then, there
can be established such correspondences between the affine coordinates and the projective coordinates as mentioned
below. Namely, the affine coordinates (x, y) can be represented by the projective coordinates [x, y, 1] while the projective
coordinates [X, Y, Z] can be represented by the affine coordinates (X/(Z)², Y/(Z)³). Further, in the projective coordinate
system, it applies valid that -[X, Y, Z] = [X, -Y, Z].

[0005] In the elliptic curve cryptography, an elliptic curve in a finite field is made use of for making usable a set of
points which constitutes a finite field of the elliptic curve. In this conjunction, the order of the elliptic curve is represented
by a number of points of the elliptic curve. In the following, the result of addition of "P" s times, i.e., P + P + ... + P
where the number of "P" is s, will be referred to as the s-multiplied point of "P". When the arithmetic for determining
the s-multiplied point of P is represented by "sP", the order of the point "P" on the elliptic curve is given by the number n
which satisfies the conditions that nP = 0 and mP ≠ 0 for 1 ≤ m < n.

[0006] The key for the elliptic curve cryptography is composed of an elliptic curve, a base point, a public key and a
private key. In more concrete, the key of the elliptic curve cryptograph is composed of coefficients a and b of the elliptic
curve, the point P (base point) whose order is a prime number, a finite field element d (private key) and a point Q (public
key) given by a product of the base point multiplied by the private key (i.e., Q = dP). Incidentally, it is to be added that
the elliptic curve, the base point and the public key are the laid-open information. Further, the public key and the private
key assume respective values which differ from one to another user, while the elliptic curve and the base point assume
respective values which are common to the users.

[0007] In the elliptic curve cryptography, a scalar multiplication (sR) arithmetic for a given point R is adopted for the
data encryption, generation of a digital signature and the verification of the digital signature. The scalar multiplication
can be realized through combination of the addition arithmetic and the doubling arithmetic mentioned previously.
However, computation for each of such addition arithmetic and doubling arithmetic necessarily requires execution of division
arithmetic once. In general, division of the finite field takes lots of time. For this reason, efforts have heretofore been
paid for establishing such a computation method which can avoid the division arithmetic.

[0008] As an approach for evading the division of the finite field, addition arithmetic and doubling arithmetic in the
projective space as well as expressions or formulae for realization thereof have already been proposed. For more
particulars, reference should be made to D.V. Chudnovsky and G.V. Chudnovsky: "SEQUENCES OF NUMBERS
GENERATED BY ADDITION IN FORMAL GROUPS AND NEW PRIMALITY AND FACTORIZATION TESTS", Advances in
Applied Mathematics, 7, 385-434, 1986. In this conjunction, it is noted that the computation time taken for the prime
field multiplication is ordinarily by far longer than that taken for the prime field addition/subtraction. Thus, the overall
computation time or overhead can be evaluated on the basis of the number of arithmetic processes involved in the
prime field multiplication. In that case, the addition arithmetic requires execution of the prime field multiplication
(inclusive of squaring arithmetic) sixteen times. In the doubling arithmetic, the prime field multiplication has to be performed
ten times. For more particulars, reference is to be made to the literature cited above. Further, it is reported that for the
coefficient a of the elliptic curve, residual multiplication arithmetic has to be performed eight times in the case where
a = -3.

[0009] Further, according to the teachings disclosed in P. Montgomery: "SPEEDING THE POLLARD AND ELLIPTIC
CURVE METHODS OF FACTORIZATION", Mathematics of Computation Vol. 48, No. 177, pp. 243-264 (1987), it is
reported that when the standard form of an elliptic curve in a finite prime field, i.e., By² = x³ + Ax² + Bx, is employed
for addition of points P0(x0, y0) and P1(x1, y1) as given by P3(x3, y3) and subtraction thereof as given by P4(x4, y4),
i.e., when P1 + P0 = P3 and P1 - P0 = P4, then x3 can be determined speedily from x0, x1, x4. In more concrete, it
is reported that x3 can be determined by executing six times the prime field multiplication. Further, in the case where
the double point of P1 is given by P5(x5, y5), x5 can be determined only from x1 by performing multiplication five times.
By taking advantage of this feature, x-coordinate of scalar multiple (scalar value d) of the point R can be determined
from Rx in the manner described below.

[0010] Presuming that the initial value is [R, 2R] and that mR represents the x-coordinate of the point R multiplied
by m, the scalar value d is exploded or developed to a bit string in the binary notation. Then, starting from the most
significant bit of d, it is validated that [mR, (m+1)R] → [2mR, (2m+1)R] for the bit "0" of d, and [mR, (m+1)R] →
[(2m+1)R, 2(m+1)R] for the bit "1" of d, where (m+1)R - mR = R and (m+1)R + mR = (2m+1)R.

[0011] In this manner, the scalar multiplication sP can be realized by performing the prime field multiplication (inclusive
of squaring) ten times (6 + 5) for each bit. Hereinafter, the procedure or algorithm described above will be referred to
as the Montgomery method.

[0012] On the other hand, the standard form of an elliptic curve on the finite field of characteristic 2 (extension field
of "2") is given by y² + xy = x³ + ax² + b (b ≠ 0). For such elliptic curve, the scalar multiplication arithmetic can be
realized through combination of the addition arithmetic and the doubling arithmetic. Rules for the addition arithmetic
and the doubling arithmetic are set forth in IEEE: P1363/D2 "STANDARD SPECIFICATION FOR PUBLIC KEY
CRYPTOGRAPHY" (1998). By resorting to the arithmetic in the finite field of characteristic 2 (extension field of "2"), squaring
and addition/subtraction can be realized very speedily when compared with mutually different multiplications. Thus,
the computation overhead involved in the arithmetics in the finite field of characteristic 2 can be evaluated by the
number of times the mutually different multiplications are to be performed. The addition arithmetic requires execution
of multiplication fifteen times while the doubling arithmetic requires execution of multiplication five times. However, it
should be noted that in the elliptic curve cryptography based on the finite field of characteristic 2, no arithmetic algorithm
is known in which the Montgomery method is resorted to.

[0013] For the elliptic curve which can ensure security, it is necessary to set parameters a and b which allow the
order #E(Fq) of the elliptic curve to have a large prime factor r. In the case where the order #E(Fq) of the elliptic curve
is given by kr, the prime factor r can assume a large prime number by selecting a small integer for k. As to the method
of setting the parameters of the elliptic curve having a large prime factor r as the order, reference may be made to
Henri Cohen: "A COURSE IN COMPUTATIONAL ALGEBRAIC NUMBER THEORY", GTM138, Springer (1993) p. 464,
Atkin's Test.

[0014] Next, problems of cipher text attack and defense against the attack will be considered. In recent years, trials
for attacking the cipher text as well as the measures for defending the cipher text against the attacks have been studied.
More specifically, as to the attack on the cipher text, there can be mentioned in addition to the classical or theoretical
cryptanalysis a differential power analysis (DPA in short) which tries to decode or decrypt the cipher text by processing
statistically waveform representing current consumption, a timing attack trying to decode by analyzing statistically
differences in the cipher processing time and others which rely on the analyses of leak information. Of course, the
measures for defending the cipher against such attacks have also been developed. However, most of the defense
measures have been realized primarily by physically incorporating the defense function in hardware circuit itself
destined, for example, for IC cards.

[0015] The conventional elliptic curve cryptographies described above suffer problems mentioned below. As is
apparent from the foregoing, in the elliptic curve cryptography in the finite field of characteristic 2, there is known no
arithmetic in which the Montgomery method is adopted. Further, in the studies concerning the elliptic curve
cryptographies, importance has been put primarily on the development of high-speed execution methods and generation of such
elliptic curve which can ensure security as viewed from the standpoint of cryptanalysis. By contrast, no efforts have
been paid to the development of defense technologies for defending the ciphers against the attack of the leak
information analysis type. In the data decryption processing of the elliptic curve cryptology, arithmetic operation for
multiplying a point (x, y) on a given elliptic curve by the private key d, i.e., d(x, y), is performed. In that case, deviation
information of the private key d may possibly leak, being reflected in the consumed current waveform and the cipher
processing time, which will give a clue to the differential power analysis (DPA) attack and the timing attack.

[0016] In the light of the state of the art described above, preferably the present invention provides an elliptic curve
cryptography method which is capable of realizing at a high speed the elliptic curve cryptography in a finite field of
characteristic 2 (or extension field of "2"), in which the elliptic curve is given by y² + xy = x³ + ax² + b (b ≠ 0).
It is also contemplated to provide an apparatus for carrying out the method mentioned above.

[0017] Preferably a second object of the present invention is to provide an elliptic curve cryptography method which can
prevent the private key information from leaking in the form of deviation information of the processing time to thereby
defend the cipher text against the timing attack and the differential power analysis (DPA) attack in the elliptic curve
cryptography.

[0018] A third object of the present invention is to provide a recording medium which stores the elliptic curve
cryptography method in the form of a program or programs which can be executed with a computer.
[0019] There is provided according to an aspect of the present invention a method of realizing an elliptic curve
cryptography in a finite field of characteristic 2 (extension field of "2"), in which the elliptic curve is given by y² + xy =
x³ + ax² + b (where b ≠ 0) and in which addition of points P1(x1, y1) and P2(x2, y2) on the elliptic curve composed of points
defined by individual coordinate components is presumed to be represented by P3(x3, y3) with subtraction of the points
P1(x1, y1) and P2(x2, y2) being presumed to be represented by P4(x4, y4). The cryptography method includes a step
of inputting the coordinate component x1, a step of transforming the inputted coordinate component x1 into X- and
Z-coordinates [X1, Z1] of a projective space, a step of storing the coordinates [X1, Z1] of the projective space, a step of
transforming the coordinate component x2 into coordinates [X2, Z2] of the projective space, a step of storing the
projective coordinates [X2, Z2], a step of transforming the coordinate component x4 into coordinates [X4, Z4] of the
projective space, a step of storing the projective coordinates [X4, Z4], a step of determining projective coordinates
[X3, Z3] from the stored projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4], a step of transforming the projective
coordinates [X3, Z3] into the coordinate component x3, and a step of outputting the coordinate component x3, whereby
scalar multiplication of the point P1(x1, y1) is determined. Further, in a preferred mode for carrying out the present
invention, the […] coordinate component x3 from the stored projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4] may
include a substep of computing B = X1Z2² + X2Z1², a substep of storing the computed B, a substep of deciding whether
or not the stored B satisfies condition that B = 0, a substep of outputting a point at infinity when B = 0 while arithmetically
determining Z3 […] unless B = 0, a substep of storing the determined Z3, and a substep of arithmetically determining
X3 = X.B^ […]
[…] method which can positively prevent leakage of the private key information from the deviation of
processing time in a decryption processing of an elliptical curve cipher in the finite field of characteristic 2. In other
words, the present invention also provides a method of realizing an elliptic curve cryptography in a finite field of
characteristic 2 (extension field of "2"), in which the elliptic curve is given by y² + xy = x³ + ax² + b and in which addition of
points P1(x1, y1) and P2(x2, y2) on the elliptic curve composed of points defined by individual coordinate components
is presumed to be represented by P3(x3, y3) with subtraction of the points P1(x1, y1) and P2(x2, y2) being presumed
to be represented by P4(x4, y4), the method including a step of inputting the coordinate component x1, a step of
transforming the inputted coordinate component x1 into X- and Z-coordinates [X1, Z1] of a projective space, a step of
storing the coordinates [X1, Z1] of the projective space, a step of transforming the coordinate component x2 into
coordinates [X2, Z2] of the projective space, a step of storing the projective coordinates [X2, Z2], a step of transforming the
coordinate component x4 into coordinates [X4, Z4] of the projective space, a step of storing the projective coordinates
[X4, Z4], a step of determining projective coordinates [X3, Z3] from the stored projective coordinates [X1, Z1], [X2, Z2]
and [X4, Z4], a step of transforming the projective coordinates [X3, Z3] into the coordinate component x3, and a step
of outputting the coordinate component x3, wherein the cryptography method further includes a step of generating a
random number k, a step of storing the generated random number k, and a step of performing arithmetic operation on
the individual coordinate components of the projective space and the stored random number k upon the transformation
of the x-coordinate component to the projective coordinates, to thereby derive projective coordinates [k²x, k]. In other
words, […] the object for the arithmetic in the finite field of characteristic 2 (extension field […]

[…] preferred mode for carrying out the present invention, the elliptic curve cryptography method may
include a step of generating a random number k, a step of storing the generated random number k, and a step of
performing arithmetic operation on the individual coordinate components of the projective space and the stored random
number k upon the transformation of the x-coordinate component to the projective coordinates, to thereby derive
projective coordinates […]
Further, for carrying out the elliptic curve cryptography methods described above, there is provided according
to another aspect of the present invention, an arithmetic apparatus for realizing an elliptic curve cryptography in a finite
field of characteristic 2 (extension field of "2"), in which the elliptic curve is given by y² + xy = x³ + ax² + b, which
apparatus includes a random number generation module for generating a random number k, a projective coordinate
transformation module receiving as inputs thereto the coordinate x0 in the finite field of characteristic 2 and the
random number k to thereby transform the coordinate x0 into projective coordinates [kx0, k] = [X1, Z1], a doubling
arithmetic module for arithmetically determining a double point from the projective coordinates [X1, Z1], an addition
arithmetic module for determining an addition point from the projective coordinate [X1, Z1] to output the addition point,
and a scalar multiplication module which receives as inputs thereto information from the projective coordinate
transformation module, the doubling arithmetic module and the addition arithmetic module to thereby determine scalar
multiplication of the coordinate component x0.

[0022] Furthermore, as mentioned previously, there is provided according to a further
aspect of the present invention a recording medium which stores therein a cryptography method of realizing an elliptic
curve cryptography in a finite field of characteristic 2 (extension field of "2"), in which the elliptic curve is given by y² +
xy = x³ + ax² + b and in which addition of points P1(x1, y1) and P2(x2, y2) on the elliptic curve composed of points
defined by individual coordinate components is presumed to be represented by P3(x3, y3) with subtraction of the points
P1(x1, y1) and P2(x2, y2) being presumed to be represented by P4(x4, y4), the program comprising a step of inputting
the coordinate component x1, a step of transforming the inputted coordinate component x1 into X- and Z-coordinates
[X1, Z1] of a projective space, a step of storing the coordinates [X1, Z1] of the projective space, a step of transforming
the coordinate component x2 into coordinates [X2, Z2] of the projective space, a step of storing the projective coordinates
[X2, Z2], a step of transforming the coordinate component x4 into coordinates [X4, Z4] of the projective space, a step
of storing the projective coordinates [X4, Z4], a step of determining projective coordinates [X3, Z3] from the stored
projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4], a step of transforming the projective coordinates [X3, Z3] into the
coordinate component x3, and a step of outputting the coordinate component x3, whereby scalar multiplication of the
point P1(x1, y1) is determined.

[0023] The method of realizing the elliptic curve cryptography in the finite field of characteristic 2 mentioned previously
can effectively be employed as the measures for preventing leakage of the private key information from the deviation
information of the processing time for decrypting an elliptic curve cipher text on a prime field. To this end, according to
still further aspect of the present invention, there may be adopted a combination of the arithmetics (a) and (b) mentioned
below.

(a) In the case where the standard form of an elliptic curve in a prime field is given by By² = x³ + Ax² + Bx, the
scalar multiplication algorithm according to the Montgomery method is adopted for determining the scalar
multiplication d(x, y) of the elliptic curve.
(b) In conjunction with computation for scalar multiplication d(x, y), a random number k is generated upon
transformation of the affine coordinates (x, y) into the projective coordinates to thereby effectuate the transformation
(x, y) → [kx, ky, k] or (x, y) → [k²x, k³y, k].

[0024] By virtue of the method mentioned above, the object for arithmetic in the prime field can constantly be varied
by the random number.

[0025] Other objects, features and advantages of the present invention will become apparent from the following 
detailed description of the preferred or exemplary embodiments taken in conjunction with the accompanying drawings. 






BRIEF DESCRIPTION OF THE DRAWINGS 

[0026] In the course of the description which follows, reference is made to the drawings, in which: 



Fig. 1 is a functional block diagram for illustrating processing flows in an elliptic curve cryptograph system according
to an embodiment of the present invention;
Fig. 2 is a flow chart for illustrating a part of a scalar multiplication procedure adopted in the elliptic curve
cryptography according to a first embodiment of the present invention;
Fig. 3 is a flow chart for illustrating the other part of the scalar multiplication procedure mentioned just above;
Fig. 4 is a flow chart for illustrating an addition procedure adopted in the elliptic curve cryptography according to
the first embodiment of the present invention;
Fig. 5 is a flow chart for illustrating a doubling arithmetic procedure adopted in the elliptic curve cryptography
according to the first embodiment of the present invention;
Fig. 6 is a flow chart for illustrating a part of a scalar multiplication procedure in the elliptic curve cryptography
according to a second embodiment of the present invention;
Fig. 7 is a flow chart for illustrating the other part of the procedure mentioned just above;
Fig. 8 is a flow chart for illustrating an addition procedure in the elliptic curve cryptography according to the second
embodiment of the invention;
Fig. 9 is a functional block diagram showing schematically a structure of the elliptic curve arithmetic unit of the
elliptic curve cryptograph apparatus according to a sixth embodiment of the present invention;
Fig. 10 is a block diagram showing a general configuration of an elliptic curve cryptograph system to which the
present invention can be applied;
Fig. 11A is a flow chart for illustrating a part of a scalar multiplication procedure in which Montgomery method is
adopted according to a third embodiment of the present invention;
Fig. 11B is a flow chart for illustrating the other part of the scalar multiplication procedure mentioned just above;
Fig. 12A is a flow chart for illustrating a part of a scalar multiplication procedure according to a fourth embodiment
of the present invention;
Fig. 12B is a flow chart for illustrating the other part of the scalar multiplication procedure mentioned just above;
Fig. 13 is a flow chart for illustrating an addition procedure according to the fourth embodiment of the present
invention;
Fig. 14 is a flow chart for illustrating a doubling method according to the fourth embodiment of the invention;
Figs. 15A and 15B are a flow chart for illustrating a scalar multiplication procedure according to a fifth embodiment
of the present invention;
Fig. 16 is a flow chart for illustrating an addition procedure according to the fifth embodiment of the present
invention.

DESCRIPTION OF THE EMBODIMENTS 

[0027] Now, the present invention will be described in detail in conjunction with what is presently considered as
preferred or typical embodiments thereof by reference to the drawings.

General description 

[0028] First mentioned below are arithmetic algorithm or rules for an elliptic curve of the standard form y² + xy =
x³ + ax² + b (b ≠ 0) in a finite field of characteristic 2 of the affine coordinate system.

1) 0 + 0 = 0

2) (x, y) + 0 = (x, y)

3) (x, y) + (x, x + y) = 0

4) Commutativity

(x0, y0) + (x1, y1) = (x1, y1) + (x0, y0)

5) Addition arithmetic

(x2, y2) = (x1, y1) + (x0, y0)

x2 = a + λ² + λ + x0 + x1; y2 = λ(x1 + x2) + x2 + y1;
λ = (y0 + y1)/(x0 + x1)

6) Doubling arithmetic

(x2, y2) = (x1, y1) + (x1, y1) = 2(x1, y1)
x2 = a + λ² + λ; y2 = λ(x1 + x2) + x2 + y1; λ = x1 + (y1/x1) or x2 = (x1)² + b/(x1)²

In order to facilitate the computation for the elliptic curve such as mentioned above, points (X, Y) on the elliptic curve
in the affine coordinate system may be transformed to the points expressed in terms of the projective coordinates. At
this juncture, let's suppose such projective coordinate system in which [X, Y, Z] = [λ²X, λ³Y, λZ] applies valid for a given
λ ≠ 0. Then, correspondence can be established between the affine coordinates and the projective coordinates as
mentioned below. Namely, the affine coordinates (x, y) can be expressed by the projective coordinates [x, y, 1] while
the projective coordinates [X, Y, Z] can be expressed by the affine coordinates (X/(Z)², Y/(Z)³). Further, in the projective
coordinate system, it applies valid that -[X, Y, Z] = [X, XZ+Y, Z].
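
Added example, not part of the patent text: over a constructed toy field GF(2^5) it implements the affine rules 1) to 6) above and uses them to check the ladder of paragraphs [0010] and [0011], run on x-coordinates only from the randomized representative [kx, k] of the apparatus paragraph. The x-only formulas are the standard López-Dahab ones for x = X/Z, assumed here rather than taken from this page, and every function name and the curve a = b = 1 are illustrative.

```python
import secrets
# Constructed toy parameters, far too small for real use: the field is
# GF(2^5) = GF(2)[t]/(t^5 + t^2 + 1) and the curve is y^2 + xy = x^3 + a x^2 + b.
M, POLY = 5, 0b100101
A, B = 1, 1                       # b != 0, as the text requires
INF = None                        # point at infinity ("0" in rules 1 to 3)
MULS = 0                          # running count of field multiplications

def fmul(u, v):
    """Product in GF(2^M): carry-less multiply, reduced modulo POLY."""
    global MULS
    MULS += 1
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> M:
            u ^= POLY
    return r

def finv(u):
    """1/u = u^(2^M - 2) for u != 0, by square-and-multiply."""
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = fmul(r, u)
        u, e = fmul(u, u), e >> 1
    return r

def on_curve(P):
    x, y = P
    return fmul(y, y) ^ fmul(x, y) == fmul(fmul(x, x), x ^ A) ^ B

def add(P, Q):
    """Affine rules 1) to 6) of the text; each real step costs a division."""
    if P is INF or Q is INF:
        return Q if P is INF else P
    (x1, y1), (x0, y0) = P, Q
    if x0 == x1:
        if y0 != y1 or x1 == 0:               # Q = -P = (x, x + y): rule 3
            return INF
        lam = x1 ^ fmul(y1, finv(x1))         # rule 6, doubling
        x2 = A ^ fmul(lam, lam) ^ lam
    else:
        lam = fmul(y0 ^ y1, finv(x0 ^ x1))    # rule 5, addition
        x2 = A ^ fmul(lam, lam) ^ lam ^ x0 ^ x1
    return (x2, fmul(lam, x1 ^ x2) ^ x2 ^ y1)

def double_and_add(d, P):
    """Reference binary method: an addition happens only for the 1 bits of d."""
    acc = INF
    for i in reversed(range(d.bit_length())):
        acc = add(acc, acc)
        if (d >> i) & 1:
            acc = add(acc, P)
    return acc

def mdouble(P):
    """x-only doubling for x = X/Z, from x(2P) = x^2 + b/x^2 (no division)."""
    X2, Z2 = fmul(P[0], P[0]), fmul(P[1], P[1])
    return (fmul(X2, X2) ^ fmul(B, fmul(Z2, Z2)), fmul(X2, Z2))

def madd(P1, P2, x):
    """x-only addition (Lopez-Dahab); x is the affine x of P2 - P1."""
    u, v = fmul(P1[0], P2[1]), fmul(P2[0], P1[1])
    Z3 = fmul(u ^ v, u ^ v)
    return (fmul(x, Z3) ^ fmul(u, v), Z3)

def ladder_x(d, x, k=None):
    """x(dR) from x = x(R): start at [R, 2R], then madd + mdouble per bit."""
    if d < 1:
        raise ValueError("scalar must be positive")
    if k is None:
        k = 1 + secrets.randbelow((1 << M) - 1)    # random nonzero k
    lo = (fmul(k, x), k)                  # randomized representative [kx, k]
    hi = mdouble(lo)
    for i in reversed(range(d.bit_length() - 1)):  # bits below the top one
        s = madd(lo, hi, x)               # (2m+1)R, needed for either bit
        if (d >> i) & 1:
            lo, hi = s, mdouble(hi)       # [(2m+1)R, 2(m+1)R]
        else:
            lo, hi = mdouble(lo), s       # [2mR, (2m+1)R]
    X, Z = lo
    return INF if Z == 0 else fmul(X, finv(Z))     # single division, at the end

def find_point():
    """First curve point with x != 0, by exhaustive search (toy field only)."""
    return next((x, y) for x in range(1, 1 << M) for y in range(1 << M)
                if on_curve((x, y)))

def muls_used(fn, *args):
    """Field multiplications performed by one call fn(*args)."""
    global MULS
    MULS = 0
    fn(*args)
    return MULS
```

For two scalars of equal bit length `muls_used(ladder_x, d, x, k)` is the same, while `muls_used(double_and_add, d, P)` grows with the number of 1 bits. The count covers field operations only; the Python branch on each key bit is not itself constant-time.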

[0029] Now, the concept underlying the present invention will be described by reference to the drawings. 
[0030] Figure 10 is a block diagram showing a general configuration of an elliptic curve encryption system to which
the present invention can be applied. Referring to the figure, reference numeral 1001 denotes an input/output interface
for an input device such as a keyboard and/or the like for inputting plain texts to be encrypted and for an output device
such as a display, a printer and/or the like for outputting plain texts resulting from decryption. The interface 1001 may
include a storage unit such as a memory or the like for storing the plain text. For encrypting the plain text as inputted
through the input/output interface, there is provided an encrypting module 1002 which is so designed as to receive as
the inputs thereto an elliptic curve generated by an elliptic curve generating module 1003 and keys from a public key/
private key generating module 1004. At this juncture, it is to be mentioned that the public key and the encryption key
are combined in a pair, wherein which of these keys is to be made available for the encrypting module 1002 or the
decrypting module 1006 depends on the practical application for which the cryptography system is employed, i.e.,
whether the cryptography system is employed, for example, for the privacy communication or for the
signature/authentication communication. The cipher text resulting from the encryption is sent out through the medium of an
interconnection interface 1005. The decrypting module 1006 is designed to decrypt the cipher text into a plain text.

[0031] Figure 1 is a functional block diagram for illustrating processing flows in an elliptic curve encryption system
according to an embodiment of the present invention. Incidentally, it should be mentioned that the elliptic curve
encryption system according to the present invention may be provided in the form of software programmed for executing
the elliptic curve cryptography. In that case, the software may be installed in an appropriate information processing
apparatus from a recording medium such as a CD-ROM, FD or the like. Referring to Fig. 1, the elliptic curve used for
the elliptic curve cryptography is generated by the elliptic curve generating module designated by 101 in this figure.
The elliptic curve generated by the elliptic curve generating module 101 is inputted to the public key/private key
generating module 102 which responds thereto by generating a public key 115 and a private key 116 on the basis of the
elliptic curve as inputted. The encrypting module 103 receives as inputs thereto data of the plain text 113, the public
key 115 and the elliptic curve to thereby output a cipher text 112. On the other hand, the decrypting module 104 is
designed to receive as inputs thereto the cipher text 112, the private key 116 and the elliptic curve to thereby output a
plain text 114. Needless to say, the plain text 114 outputted from the decrypting module 104 is same as the plain text
113 mentioned previously.

[0032] The elliptic curve generating module 101 is designed to generate the elliptic curve in accordance with a
processing procedure described below. Through a primitive polynomial setting process or submodule 105, a primitive
polynomial f(x) in a prime field F2 is set. Such primitive polynomial in the prime field F2 is described, for example, in
A. Menezes, P. Oorschot and S. Vanstone: "HANDBOOK OF APPLIED CRYPTOGRAPHY", CRC Press, Section 4.5.3
Primitive Polynomials (1996).

[0033] In an elliptic curve parameter setting step or submodule 106, parameters a and b for the elliptic curve y² + xy
= x³ + ax² + b defined on the basis of a finite field Fq of characteristic 2 (which may also be referred to as the extension
field of "2") are set. For the elliptic curve which can ensure security, it is necessary that the order #E(Fq) of the elliptic
curve has a large prime factor r. In the case where #E(Fq) = kr applies valid, the prime factor r can assume a large
prime number by selecting a small integer for k. Parenthetically, concerning the method of generating an elliptic curve
having a large prime factor r as the order, reference may be made to Henri Cohen: "A COURSE IN COMPUTATIONAL
ALGEBRAIC NUMBER THEORY", GTM138, Springer (1993) p. 464, Atkin's Test. At this juncture, it should however
be mentioned that the elliptic-curve primitive polynomial setting method can equally be realized by resorting to other
elliptic curve the order of which has a large prime factor.

[0034] A base point generating submodule 107 is designed to determine a generator of a cyclic subgroup having
the prime factor r mentioned above as the order in the Abelian group on the elliptic curve. By way of example, in the
case where #E(Fq) = kr holds, a given point (x1, y1) on the elliptic curve E(Fq) in the finite field of characteristic
2 is determined in a first step. Subsequently, in a second step, G = (x1, y1) is set as the base point on the conditions
that r(x1, y1) = 0 and k(x1, y1) ≠ 0. Otherwise, the first step mentioned just above is resumed.

[0035] At this juncture, it is to be noted that the expression r(x1, y1) means execution of the scalar multiplication
(multiplication by r, or r-multiplication) for the point (x1, y1). Incidentally, the arithmetic for the scalar multiplication
(r-multiplication) will be elucidated later on in conjunction with the elliptic curve arithmetic submodule 109.

[0036] Through the procedure described above, the primitive polynomial f(x), the parameters a and b of the elliptic
curve y^2 + xy = x^3 + ax^2 + b, the base point G and the order r of the base point have been generated which are the
information destined to be laid open for the general public.

[0037] The public key/private key generating module 102 is designed to generate the public key and the private key
in accordance with the procedure described below. On the presumption that the primitive polynomial f(x), the parameters
a and b of the elliptic curve y^2 + xy = x^3 + ax^2 + b and the base point G are inputted to the public key/private key
generating module 102 and that a public key Q and a private key d are outputted therefrom, a random number which
satisfies the condition that 2 < d < r-1 is generated in a first step, whereon the public key Q = dG, i.e., a scalar
multiplication (d-multiplication) of the base point G is determined.

[0038] The public key is the information to be laid open to the general public while the private key represents the
information to be secreted. The problem of determining the private key d on the basis of the public key Q and the base
point G is what is known as the discrete logarithm problem and requires for the solution thereof such an amount of
computation which is on the exponential order of bit-length of the base point on the elliptic curve. Consequently, in
case the order r is a large prime number, e.g. when the prime factor r is greater than the 159-th power of 2, it is
impossible in practice to determine the private key d from the public key Q and the base point G. This is the principle
underlying the elliptic curve cryptography. In this conjunction, the method of arithmetically determining the public key
Q is known in the art as disclosed, for example, in D.V. Chudnovsky and G.V. Chudnovsky: "SEQUENCES OF NUMBERS
GENERATED BY ADDITION IN FORMAL GROUPS AND NEW PRIMALITY AND FACTORIZATION TESTS",
Advances in Applied Mathematics, 7, 385-434, 1986.

[0039] In the encrypting module 103, the plain text 113 is translated to the cipher text 112 in accordance with the
procedure which will be described below. On the presumption that a plain text M, the public key Q, the primitive
polynomial f(x), the parameter b of the elliptic curve y^2 + xy = x^3 + ax^2 + b and the base point G are inputted to the
encrypting module 103 and that a cipher text C is outputted therefrom, a random number k is generated in a first step by
the random number generating submodule 108, whereon in the second step, the base point G and the random number k
generated in the first step undergo arithmetic operation for determining kG, i.e., (kx1, ky1), in the elliptic curve arithmetic
submodule 109. In a third step, the public key Q and the random number k generated in the first step undergo arithmetic
operation for determining kQ, i.e., (kx2, ky2), in the elliptic curve arithmetic submodule 109. In a fourth step, arithmetic
operation M xor x2 is executed in the data encryption processing submodule 110, the result of which is set as M'. In
a fifth step, arithmetic operation x1 || y1 || M' is executed, as a result of which the cipher text C is outputted from the
data encryption submodule 110.

[0040] The elliptic curve arithmetic submodule 109 is designed to execute a scalar multiplication (kR) arithmetic for
a given point R to thereby determine the x-coordinate. Owing to such arrangement, the private key information can be
protected against leakage from deviation (difference) information of the processing time or period for the decryption
of the elliptic curve cipher text in the finite field of characteristic 2. In the following, the scalar multiplication method will
be elucidated.

Scalar multiplication method according to first embodiment

[0041] Figures 2 and 3 in combination illustrate in a flow chart the scalar multiplication method according to a first
embodiment of the present invention.

[0042] It is presumed that a projective coordinate component X0 of the x-coordinate of a given point R and a scalar
value m are inputted and that a projective coordinate component Xm of the x-coordinate of a point corresponding to
m-multiple of R is to be outputted. On this assumption, the scalar value m and the projective coordinate component X0
of the x-coordinate are inputted (step 202). In the succeeding steps 203 to 205, data stirring is performed by
multiplying the individual projective coordinates by the random number. More specifically, the random number k is
generated in the step 203, whereon k^2X0 is arithmetically determined by multiplying the projective coordinate component X0
by the random number k and assigned to X1 in the step 204 while the random number k itself is assigned to Z1 in the
step 205. In succeeding steps 206 to 208 and 301, preparation is made for the scalar multiplication. In more concrete,
[X1, Z1] is assigned to [X4, Z4] in the step 206, whereupon [X1, Z1] is inputted to the doubling
process (illustrated in Fig. 5), the output of which is then assigned to [X2, Z2] in the step 207. Further in a step 208,
the scalar value m is transformed to a binary bit string h_l h_(l-1) ... h_0, where the most significant bit h_l is 1, and thus l
is assigned to i in a step 301 shown in Fig. 3. Through processing steps 302 to 309 (see Fig. 3), the addition method
and the doubling method are controlled in dependence on whether one bit of the scalar value m is 0 or 1 to thereby
realize the scalar multiplication. More specifically, "i-1" is assigned to i in the step 302, which is followed by the step
303 where [X1, Z1], [X2, Z2] and [X4, Z4] are inputted to the addition process (illustrated in Fig. 4), the output of which
is assigned to [X3, Z3]. At this juncture, when h_i == 0 (i.e., when the step 304 results in affirmation
"Yes"), the processing proceeds to the step 305 while it proceeds to the step 307 when h_i == 1, i.e., when the decision
step 304 results in negation "No". In the step 305, [X1, Z1] is inputted to the doubling arithmetic or process (Fig. 5), the
output from which is assigned to [X1, Z1]. In the step 306, [X3, Z3] is assigned to [X2, Z2], whereon the processing
proceeds to the step 309. On the other hand, when the decision step 304 results in "No", [X2, Z2] is inputted to the
doubling arithmetic or process illustrated in Fig. 5, the output of which is assigned to [X2, Z2] (step 307). In the step
308, [X3, Z3] is assigned to [X1, Z1], whereupon the processing proceeds to the step 309. In the case where i > 0, i.e.,
the step 309 results in "Yes", the step 302 is resumed. If otherwise, i.e., when the decision step 309 results in
"No", the processing proceeds to a step 310. Subsequently, the projective coordinates are transformed to the x-coordinate
of the (x, y) coordinate system. Finally, X1/(Z1)^2 is assigned to the projective coordinate component Xm (step
310) to be ultimately outputted (step 311).

[0043] Next, description will be directed to the addition method or arithmetic. It is presumed that as the projective
space coordinates of a point on the elliptic curve, it applies valid that [X, Y, Z] = [λ^2 X, λ^3 Y, λZ] for a given λ ≠ 0. At this
juncture, let's consider the points P0 = (x0, y0) = [X0, Y0, Z0] and P1 = (x1, y1) = [X1, Y1, Z1] as the points on the elliptic
curve. Additionally, it is presumed that the sum of the points P0 and P1 and the difference therebetween are given by
P3 = (x3, y3) = [X3, Y3, Z3] and P4 = (x4, y4) = [X4, Y4, Z4], respectively.
[0044] Expressing mathematically,

P1 + P0 = P3,

P1 - P0 = P4,

x3 = a + (λ3)^2 + λ3 + x0 + x1; λ3 = (y0 + y1)/(x0 + x1),

x4 = a + (λ4)^2 + λ4 + x0 + x1; λ4 = (x0 + y0 + y1)/(x0 + x1),

λ3 + λ4 = (x0)/(x0 + x1),

(λ3)^2 + (λ4)^2 = (x0)^2/(x0 + x1)^2, and

x3 + x4 = ((x0)^2 + (x0)(x0 + x1))/(x0 + x1)^2
= (x0 x1)/(x0 + x1)^2.

From the above, the following relation can be derived.

x3 + x4 = (x0 x1)/(x0 + x1)^2 (1)
[0045] Subsequently, relations in the projective coordinate system are derived. 

[0046] Replacing "x1" and "x0" in the expression (1) by "x1 = X1/(Z1)^2" and "x0 = X0/(Z0)^2", respectively, then

X3/(Z3)^2 = X4/(Z4)^2 + ((X0/(Z0)^2)(X1/(Z1)^2))/(X0/(Z0)^2 + X1/(Z1)^2)^2
= X4/(Z4)^2 + ((X0(Z1)^2)(X1(Z0)^2))/(X0(Z1)^2 + X1(Z0)^2)^2
= ((X4 β^2) + (Z4)^2 (X0 Z1^2)(X1 Z0^2))/((Z4)^2 β^2)

where β = X0 Z1^2 + X1 Z0^2.

[0047] From the above expression, there can be derived:

X3 = X4 β^2 + (Z4)^2 (X0 Z1^2)(X1 Z0^2) (2)

Z3 = Z4 β (3)

[0048] On the presumption that mR = [X1, Y1, Z1], (m + 1)R = [X2, Y2, Z2], R = [X4, Y4, Z4] and (2m + 1)R = [X3, Y3,
Z3], the addition arithmetic will be elucidated below.

Addition method according to first embodiment

[0049] Figure 4 is a flow chart for illustrating the addition method according to the first embodiment of the present
invention. The projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4] are inputted, whereby coordinates [X3, Z3] or a point
at infinity is outputted. Thus, the projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4] are inputted in a step 402. Through the
processings in steps 403 to 407, X1(Z2)^2 + X2(Z1)^2 is determined for making decision whether or not the result of the
addition arithmetic represents the point at infinity. Interim results S1, S2 and B provide preparation for the realization
of the expressions (2) and (3) mentioned above. More specifically, X1(Z2)^2 is assigned to S1 in the step 403 and
X2(Z1)^2 is assigned to S2 in the step 404, whereupon S1 + S2 is assigned to B in the step 405. When B == 0 in the step
406 (i.e., when the decision step 406 results in "Yes"), the processing proceeds to the step 407. If otherwise (i.e., when
the decision in the step 406 results in "No"), the processing proceeds to the step 408. In the step 407, the point at
infinity is outputted, whereon the processing comes to an end (step 413). Through the processing steps 408 to 411
executed when the decision step 406 results in "No", the coordinates [X3, Z3] are determined in accordance with the
expressions (2) and (3) mentioned hereinbefore. In more concrete, Z4B is assigned to Z3 in the step 408 and (Z4)^2 S1S2
is assigned to S in the step 409 with X4B^2 being assigned to M in the step 410, whereupon M + S is assigned to X3 in the
step 411 and [X3, Z3] is outputted in the step 412. Through the procedure described above, the addition arithmetic
can be realized by sextuple multiplications of the mutually different variables. In other words, X3 can be arithmetically

[0050] Next, description will turn to the doubling method. Let's represent a double point of the point P1 by P2 and
presume that P1 = (x1, y1) = [X1, Y1, Z1], and that P2 = (x2, y2) = [X2, Y2, Z2]. The doubling expression is given by x2
= (x1)^2 + b/(x1)^2. Accordingly, by placing x1 = X1/(Z1)^2 and x2 = X2/(Z2)^2 in the doubling expression as follows,

X2/(Z2)^2 = (X1/(Z1)^2)^2 + b/(X1/(Z1)^2)^2
= X1^2/(Z1)^4 + (b(Z1)^4)/(X1)^2
= (X1^4 + b(Z1)^8)/(X1^2 Z1^4)

there can be derived the following relations.

X2 = X1^4 + bZ1^8 (4)

Z2 = X1 Z1^2 (5)

[0051] The doubling method based on the expressions mentioned above will be described.

Doubling method according to first embodiment

[0052] Figure 5 is a flow chart for illustrating the doubling method according to the first embodiment of the present
invention. Referring to the figure, it is presumed that Q = [X1, Z1] is inputted and that [X2, Z2] or
the point at infinity is to be outputted. In a step 502, X1 and Z1 are inputted. In the succeeding steps 503 and 504,
decision is made as to whether the doubling arithmetic results in the point at infinity. Namely, when X1 == 0 or
Z1 == 0 in the step 503 (i.e., when the decision step 503 results in "Yes"), the processing proceeds to the step 504.
If otherwise (i.e., when the decision step 503 results in "No"), the processing proceeds to a step 505. In the step 504,
the point at infinity is outputted. In the succeeding steps 505 to 507, the coordinates [X2, Z2] are determined in
accordance with expressions (4) and (5) mentioned previously. More specifically, in the step 505, Z1^2 is assigned to S.
In the step 506, X1S is assigned to Z2. In the step 507, X1^4 + bS^4 is assigned to X2. In the step 508, the coordinates
[X2, Z2] are outputted. Through the procedure described above, the addition arithmetic can be realized by executing
twice the multiplication of mutually different variables. Accordingly, in the scalar multiplication method, the addition
arithmetic can be realized by executing (6 + 2) times the multiplication of mutually different variables per bit of the
scalar value d. In other words, the projective coordinate X3 can be arithmetically determined very speedily from X1, X2
and X4.

[0053] Now turning back to Fig. 1, the decrypting module 104 is designed to transform the cipher text 112 into the
original plain text 114 through the procedure described below. Of course, the cipher text 112 and the plain text 114 are
same with regard to the content. On the presumption that the cipher text C ← x1||y1||M', private key d, primitive
polynomial f(x), parameter b of the elliptic curve y^2 + xy = x^3 + ax^2 + b and the base point G are inputted, whereby the plain
text M is outputted, the following steps are executed.

step 1: (x2, y2) ← d(x1, y1) (by the data decryption processing submodule 111)
step 2: plain text M ← M' xor x2

[0054] The step 1 can be executed in accordance with the procedure described hereinbefore by reference to Figs.
2 and 3.

[0055] Through the procedure described above, determination of the x-coordinate equivalent to the scalar (d)
multiplication of given coordinates (x, y) can be realized by executing eight-tuple mutually different multiplication
processings for each bit of d independent of the bit pattern thereof. Furthermore, by setting for the given x-coordinate
the initial value for the scalar multiplication as [k^2 x, k], where k represents a random number, object for the arithmetic
can constantly be varied. Additionally, owing to combination of the procedures described in the foregoing, no bit pattern of
d can make appearance in the deviation (difference) of the d(x, y)-processing time, which in turn means that any private
key information can be protected against leakage in terms of the deviation information of the d(x, y)-processing time.
In addition, this feature indicates that in the DPA (Differential Power Analysis) for realizing the cryptanalysis by making
use of deviations of current, voltage, electric power for the encryption processing as well, the private key information
is protected against leakage in terms of the deviation information of the current, voltage or electric power for the d(x,
y) processing.
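The first embodiment's x-only scalar multiplication (steps 202 to 311, with the addition of expressions (2), (3) and the doubling of expressions (4), (5)), written out as an added Python example that is not part of the patent text. The field GF(2^7) with f(x) = x^7 + x + 1, the curve a = b = 1 (order 142 = 2 × 71) and all function names are constructed for illustration; the affine double-and-add is included only as an independent reference for checking the result.

```python
import secrets

M = 7                       # constructed toy field GF(2^7); deployed curves use far larger m
F_POLY = 0b10000011         # f(x) = x^7 + x + 1, primitive over F2
A, B = 1, 1                 # constructed curve y^2 + xy = x^3 + a*x^2 + b
COFACTOR, R_ORDER = 2, 71   # #E(Fq) = k*r = 142 for this constructed curve

def gf_mul(u, v):
    """Product of two field elements (bit i = coefficient of x^i) modulo f(x)."""
    acc = 0
    while v:
        if v & 1:
            acc ^= u
        v >>= 1
        u <<= 1
        if u >> M:
            u ^= F_POLY
    return acc

def gf_inv(u):
    """Inverse of a nonzero element, computed as u^(2^M - 2)."""
    acc, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            acc = gf_mul(acc, u)
        u, e = gf_mul(u, u), e >> 1
    return acc

def ladder_add(p1, p2, p4):
    """Expressions (2), (3): x-only sum of p1 and p2 whose difference is p4 (steps 402-412)."""
    (x1, z1), (x2, z2), (x4, z4) = p1, p2, p4
    s1 = gf_mul(x1, gf_mul(z2, z2))
    s2 = gf_mul(x2, gf_mul(z1, z1))
    beta = s1 ^ s2
    if beta == 0:
        return None                                   # point at infinity
    s = gf_mul(gf_mul(z4, z4), gf_mul(s1, s2))
    t = gf_mul(x4, gf_mul(beta, beta))
    return (t ^ s, gf_mul(z4, beta))

def ladder_double(p):
    """Expressions (4), (5): X2 = X1^4 + b*Z1^8, Z2 = X1*Z1^2 (steps 502-508)."""
    x1, z1 = p
    if x1 == 0 or z1 == 0:
        return None                                   # point at infinity
    s = gf_mul(z1, z1)
    x1_2, s_2 = gf_mul(x1, x1), gf_mul(s, s)
    return (gf_mul(x1_2, x1_2) ^ gf_mul(B, gf_mul(s_2, s_2)), gf_mul(x1, s))

def ladder_x(m, x0, k=None):
    """x(m*R) from x0 = x(R), R of order R_ORDER. Python gives no timing guarantee;
    the point shown is the fixed one-addition-plus-one-doubling sequence per bit."""
    if not 1 <= m <= R_ORDER - 2:
        raise ValueError("scalar outside the range handled here")
    if k is None:
        k = secrets.randbelow((1 << M) - 1) + 1       # step 203: random nonzero k
    p1 = (gf_mul(gf_mul(k, k), x0), k)                # steps 204-205: [k^2*X0, k]
    p4, p2 = p1, ladder_double(p1)                    # steps 206-207
    for bit in bin(m)[3:]:                            # bits below the leading 1
        p3 = ladder_add(p1, p2, p4)                   # one addition for every bit
        if bit == "0":
            p1, p2 = ladder_double(p1), p3            # steps 305-306
        else:
            p1, p2 = p3, ladder_double(p2)            # steps 307-308
    x, z = p1
    return gf_mul(x, gf_inv(gf_mul(z, z)))            # step 310: X1/(Z1)^2

def affine_add(p, q):
    """Textbook affine addition, used only as a reference (None = point at infinity)."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if y1 != y2 or x1 == 0:
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam ^ A
        return (x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3))
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def affine_mul(m, p):
    """Reference double-and-add; its operation sequence depends on the bits of m."""
    acc = None
    for bit in bin(m)[2:]:
        acc = affine_add(acc, acc)
        if bit == "1":
            acc = affine_add(acc, p)
    return acc

def find_base_point():
    """First curve point G with r*G = infinity and k*G != infinity (base point conditions)."""
    for x in range(1, 1 << M):
        for y in range(1 << M):
            if gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x ^ A) ^ B:
                g = (x, y)
                if affine_mul(R_ORDER, g) is None and affine_mul(COFACTOR, g) is not None:
                    return g
    raise ValueError("no point of order r found")
```

Calling `ladder_x(m, x0)` with different values of `k` returns the same x-coordinate, while every intermediate [X, Z] pair differs, which is the data stirring of steps 203 to 205.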

[0056] Next, description will be made of a second embodiment of the invention which can further speed up the
arithmetic operations involved in the elliptic curve cryptography when compared with the first embodiment described
above. Representing the coordinate transformation from the affine coordinates to the projective coordinates by (x, y)
→ [x, y, 1], it can apply valid that Z4 = 1. By placing Z4 = 1 in the expressions (2) and (3), there can be derived the
following expressions:

X3 = (X4 β^2) + (X0(Z1)^2)(X1(Z0)^2) (6)

Z3 = β (7)

[0057] By making use of the above expressions, the scalar multiplication method and the addition method can be
carried out in the manners described below.

Scalar multiplication method according to second embodiment 



[0058] Figures 6 and 7 in combination illustrate in a flow chart a processing procedure for the scalar multiplication
method according to the second embodiment of the present invention. It is presumed that a projective coordinate
component X0 of the x-coordinate of a given point R and a scalar value m are inputted for thereby outputting a projective
coordinate component Xm of the x-coordinate of a point corresponding to m-multiplication or m-tuple of R. To this end,
the scalar value m and the projective coordinate component X0 of the x-coordinate are inputted in the step 602. In the
succeeding steps 603 and 604, transformation of X0 to the projective coordinate is performed. More specifically, in the
step 603, X0 is assigned to X1. In the step 604, "1" is assigned to Z1. In the processing steps 605 to 607, preparation
is made for the scalar multiplication. In more concrete, coordinates [X1, Z1] are assigned to [X4, Z4] in the step 605 to
thereby allow [X1, Z1] to be inputted to the doubling arithmetic (Fig. 5), the output of which is assigned to [X2, Z2] in
the step 606. In the step 607, h_l h_(l-1) ... h_0 are set as the binary bit string representing the scalar value m, in which the
most significant bit h_l is "1", and thus "l" is assigned to j in a step 701 shown in Fig. 7. In the succeeding processing
steps 702 to 709, the addition method and the doubling method are controlled in dependence on whether one bit of
the scalar value m is "0" or "1", to thereby determine the scalar multiplication. More specifically, in the step 702, "j-1"
is assigned to j while in the step 703, [X1, Z1], [X2, Z2] and X0 are inputted to the addition method (Fig. 8), the output
of which is assigned to [X3, Z3]. When h_j == 0 (i.e., when the decision step 704 results in affirmation "Yes"), the
processing proceeds to the step 705 while it proceeds to the step 707 when h_j == 1, i.e., when the decision step 704 results
in negation "No". In the step 705, [X1, Z1] is inputted to the doubling method (Fig. 5), the output from which is assigned
to [X1, Z1]. In the succeeding step 706, [X3, Z3] is assigned to [X2, Z2], whereupon the processing proceeds to the step
709. On the other hand, in the step 707, [X2, Z2] is inputted to the doubling method (Fig. 5), the output of which is
assigned to [X2, Z2]. In the succeeding step 708, [X3, Z3] is assigned to [X1, Z1], whereupon … outputted.

Addition method according to second embodiment

[0059] Figure 8 is a flow chart for illustrating the addition method according to the second embodiment of the present
invention. It is presumed that the projective coordinates [X1, Z1] … are inputted and that … the point
at infinity is to be outputted. Thus, the projective coordinates … are inputted in a step 802.
Through the processings in subsequent steps 803 to 807, X1(Z2)^2 + X2(Z1)^2 is determined for making decision whether
or not the result of the addition represents the point at infinity. Interim results S1, S2 and B provide preparation for
realization of the expressions (6) and (7) … is assigned to M. In the step 811, M + S is assigned to X3. Finally, in the
step 812, [X3, Z3] is outputted. Through the procedure described above, the addition arithmetic can be realized by
executing four times the multiplication of mutually different variables.

[0060] Parenthetically, it should be added that the doubling arithmetic according to the second embodiment of …
to the elliptic curve in the finite field of characteristic 2 (extension field of 2 …

[0062] Next, description will be made of a third embodiment of the present invention which is directed to a method
of preventing leakage of the private key information from the deviation … the Montgomery method on the presumption
that the …

[0063] As is disclosed in P. Montgomery: "SPEEDING THE POLLARD AND ELLIPTIC CURVE METHODS OF
FACTORIZATION", Mathematics of Computation Vol. 48, No. 177, pp. 243-264 (1987), … that the addition of points
P0(x0, y0) and P1(x1, y1) and the subtraction therebetween are given by



P3 (x3, y3); P4 (x4, y4);

P1 + P0 = P3;

P1 - P0 = P4;

then x3 can speedily be determined from x0, x1 and x4 by resorting to the elliptic curve of the standard form By^2
= x^3 + Ax^2 + Bx in the prime field. In more concrete, x3 can be determined by performing six times the multiplications
of the prime field as follows:

Presuming that

(x3, y3) → [X3, Z3] and that (x4, y4) → [X4, Z4],

then

X3 ← Z4[(X1 - Z1)(X0 + Z0) + (X1 + Z1)(X0 - Z0)]^2,

and

Z3 ← X4[(X1 - Z1)(X0 + Z0) - (X1 + Z1)(X0 - Z0)]^2.

[0064] Further, for the doubling arithmetic, expressions mentioned below apply valid:

P5 = 2P1; (x1, y1) → [X1, Z1];

4X1Z1 ← (X1 + Z1)^2 - (X1 - Z1)^2

X5 ← (X1 + Z1)^2(X1 - Z1)^2; Z5 ← (4X1Z1)[(X1 - Z1)^2 + ((A + 2)/4)(4X1Z1)]

[0065] Furthermore, when the double point of P1 is given by P5(x5, y5), then x5 can be determined only from x1 by
executing relevant multiplication five times. By taking advantage of this feature, the x-coordinate of scalar multiple
(scalar value d) of the point R can be determined from Rx, as follows.

[0066] Presuming that the initial value is given by [R, 2R] and that mR represents the x-coordinate of m multiplication
of the point R, the scalar value d is developed to the binary bit string. Then, starting from the most significant bit of d,

[mR, (m+1)R] → [2mR, 2(m+1)R] for the bit of d = "0",

and

[mR, (m+1)R] → [(2m+1)R, 2(m+1)R] for the bit of d = "1"

[0067] Hence

(m+1)R - mR = R, and

(m+1)R + mR = (2m+1)R.
Scalar multiplication method according to third embodiment 

[0068] Figures 11A and 11B are flow charts for illustrating the scalar multiplication method in which the Montgomery
method is adopted according to the third embodiment of the present invention. Referring to the figures, it is presumed
that a projective coordinate component X0 of the x-coordinate of a given point R and a scalar value m are inputted and
that a projective coordinate component Xm of the x-coordinate of a point corresponding to m-multiplication of R is to
be outputted. To this end, the scalar value m and the projective coordinate component X0 of the x-coordinate are
inputted in the step 1102 shown in Fig. 11A. In the succeeding steps 1103 to 1105, data is stirred through multiplication
of the individual coordinates in the projective coordinate system by the random number. More specifically, the random
number k is generated in the step 1103, whereon kX0 is determined by multiplying the projective coordinate component
X0 of the x-coordinate by the random number k, and then kX0 is assigned to X1 in the step 1104 while the random
number k is assigned to Z1 in the step 1105. In succession, [X1, Z1] is assigned to [X4, Z4] (step 1106). Subsequently,
[X1, Z1] is inputted to the doubling method (i.e., Montgomery's doubling arithmetic), the output of which is assigned to
[X2, Z2] (step 1107). Further, the scalar value m is transformed to the binary bit string h_l h_(l-1) ... h_0 (step 1108), where the
most significant bit h_l is "1". Thus "l" is assigned to i in the step 1109 shown in Fig. 11B. In a succeeding step 1110,
"i-1" is assigned to i, which is then followed by a step 1111 where [X1, Z1], [X2, Z2] and [X4, Z4] are inputted to the
addition method (Montgomery's addition arithmetic), the output of which is assigned to [X3, Z3] (step 1111). When h_i
== 0 in the step 1112 (i.e., when the decision step 1112 results in affirmation "Yes"), the processing proceeds to a step
1113 while it proceeds to a step 1115 when h_i == 1, i.e., when the decision step 1112 results in negation "No". In the
step 1113 shown in Fig. 11B, [X1, Z1] is inputted to the doubling method (Montgomery's doubling arithmetic), the output
from which is assigned to [X1, Z1]. In the succeeding step 1114, [X3, Z3] is assigned to [X2, Z2], whereon the processing
proceeds to a step 1117. On the other hand, when the decision step 1112 results in "No", [X2, Z2] is inputted to the
doubling method (Montgomery's doubling arithmetic), the output of which is assigned to [X2, Z2] (step 1115). Further,
[X3, Z3] is assigned to [X1, Z1] in the step 1116, whereupon the processing proceeds to a step 1117. In the case where
i > 0, i.e., the step 1117 results in "Yes", the step 1110 is resumed. If otherwise, i.e., when the decision step 1117 results
in "No", the processing proceeds to a step 1118 where X1/(Z1) is assigned to the projective coordinate component Xm
to be ultimately outputted in the step 1119, whereupon the processing comes to an end (step 1120).
[0069] Through the procedure described above, determination of the x-coordinate corresponding to the scalar (d)
multiplication of a given coordinate (x, y) can be realized by executing eleven times the mutually different multiplications
for each bit of d. Furthermore, by setting for the given x-coordinate the initial value for scalar multiplication [kx, k] where
k represents a random number, the private key information can be protected against leakage in terms of the deviation
information of the d(x, y) processing time. In addition, this feature indicates that for the DPA (Differential Power Analysis)
trial for performing the cryptanalysis by making use of deviation information concerning current, voltage, electric
power for the encryption processing, the private key information can be protected against leakage in terms of the
deviation information of the current (voltage, electric power) involved in processing d(x, y).
[0070] Furthermore, for the elliptic curve y^2 = x^3 + ax + b in the prime field, an elliptic curve may be constituted such
that the Abelian group defined by the rational points between By^2 = x^3 + Ax^2 + Bx and y^2 = x^3 + ax + b is same, whereon
the coordinates (x, y) given by the elliptic curve y^2 = x^3 + ax + b in the prime field is transformed to By^2 = x^3 + Ax^2 + Bx
to thereby determine the scalar multiplication through the procedure described hereinbefore, the result of which is then

[0071] Next, description will be directed to a fourth embodiment of the present invention. In the case of the elliptic
curve cryptography according to the first embodiment of the invention, it has been presumed that [X, Y, Z] = [λ^2 X, λ^3 Y,
λZ] applies valid for the given projective coordinate λ ≠ 0. However, the teachings of the present invention can also be
implemented with the projective coordinate system in which [X, Y, Z] = [λX, λY, λZ] applies valid.

Scalar multiplication method according to fourth embodiment

[0072] Figures 12A and 12B are flow charts for illustrating the scalar multiplication method according to the fourth
embodiment of the present invention. Referring to the figures, it is presumed that a projective coordinate component
X0 of the x-coordinate of a given point R and a scalar value m are inputted and that a projective coordinate component
Xm of the x-coordinate of a point corresponding to m-multiplication of R (i.e., the point corresponding to the product of
m and R) is to be outputted. On the presumption, the scalar value m and the projective coordinate component X0 of
x-coordinate are inputted in the step 1202 shown in Fig. 12A. In the succeeding steps 1203 to 1205, data is stirred
through multiplication of the individual projective coordinates by the random number. More specifically, the random
number k is generated in the step 1203, whereon kX0 is determined by multiplying the projective coordinate component
X0 of the x-coordinate by the random number k, and then kX0 is assigned to X1 in the step 1204 while the random
number k itself is assigned to Z1 in the step 1205. In succession, [X1, Z1] is assigned to [X4, Z4] (step 1206).
Subsequently, [X1, Z1] is inputted to the doubling arithmetic, the output of which is assigned to [X2, Z2] (step 1207).
Further, the scalar value m is transformed to the binary bit string h_l h_(l-1) ... h_0 (step 1208), where the most significant bit
h_l is "1". Thus "l" is assigned to i in the step 1209 shown in Fig. 12B. In a succeeding step 1210, "i-1" is assigned to
i, which is then followed by a step 1211 where [X1, Z1], [X2, Z2] and [X4, Z4] are inputted to the addition arithmetic, the
output of which is assigned to [X3, Z3]. When h_i == "0" in the step 1212 (i.e., when the decision step 1212 results in
affirmation "Yes"), the processing proceeds to a step 1213 while it proceeds to a step 1215 when h_i == 1, i.e., when
the decision step 1212 results in negation "No". In the step 1213 shown in Fig. 12B, [X1, Z1] is inputted to the doubling
arithmetic, the output from which is assigned to [X1, Z1]. In the succeeding step 1214, [X3, Z3] is assigned to [X2, Z2],
whereon the processing proceeds to a step 1217. On the other hand, when the decision step 1212 results in "No", [X2,
Z2] is inputted to the doubling arithmetic, the output of which is assigned to [X2, Z2] (step 1215). Further, [X3, Z3] is
assigned to [X1, Z1] in the step 1216, whereupon the processing proceeds to a step 1217. In the case where i > 0, i.e.,
when the step 1217 results in "Yes", the step 1210 is resumed. If otherwise, i.e., when the decision step 1217 results
in "No", the processing proceeds to a step 1218 where X1/(Z1) is assigned to the projective coordinate component Xm
to be ultimately outputted in the step 1219, whereupon the processing comes to an end (step 1220).
[0073] It is presumed that in conjunction with the projective space coordinate of a point on the elliptic curve, it applies
valid that [X, Y, Z] = [λX, λY, λZ] for a given λ ≠ 0. At this juncture, let's consider points P0 = (x0, y0) = [X0, Y0, Z0] and
P1 = (x1, y1) = [X1, Y1, Z1] as the points on the elliptic curve. Additionally, it is presumed that the sum and the difference
of the points P0 and P1 are given by P3 = (x3, y3) = [X3, Y3, Z3] and P4 = (x4, y4) = [X4, Y4, Z4], respectively.

[0074] Namely,

P1 + P0 = P3, and

P1 - P0 = P4

[0075] Subsequently, relations in the projective coordinate system are derived from the expression (1) mentioned
hereinbefore in conjunction with the first embodiment of the invention, i.e., x3 + x4 = (x0 x1)/(x0 + x1)^2.

[0076] Replacing x1 and x0 appearing in the expression (1) by X1/Z1 and X0/Z0, respectively, then

X3/Z3 = X4/Z4 + ((X0/Z0)(X1/Z1))/(X0/Z0 + X1/Z1)^2
= X4/Z4 + ((X0Z0)(X1Z1))/(X0Z1 + X1Z0)^2
= ((X4 β^2) + Z4(X0Z0)(X1Z1))/(Z4 β^2)

where β = X0Z1 + X1Z0.
[0077] From the above expression, there can be derived:

X3 = X4 β^2 + Z4(X0Z1)(X1Z0) (2)'

Z3 = Z4 β^2 (3)'

[0078] On the presumption that mR = [X1, Y1, Z1], (m + 1)R = [X2, Y2, Z2], R = [X4, Y4, Z4] and (2m + 1)R = [X3, Y3,
Z3], an addition method according to the fourth embodiment of the present invention will be elucidated below.

Addition method according to fourth embodiment 

[0079] Figure 13 is a flow chart for illustrating an addition method according to the fourth embodiment of the present
invention. It is assumed that projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4] are inputted, whereby [X3, Z3] or the
point at infinity is outputted. Thus, projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4] are inputted in a step 1302.
Subsequently, X1Z2 is assigned to S1 in a step 1303. Further, X2Z1 is assigned to S2 in a step 1304, whereon S1 + S2
is assigned to B in a step 1305. When B == 0 in a step 1306 (i.e., when decision in the step 1306 results in "Yes"), the
processing proceeds to a step 1307. If otherwise (i.e., when the decision in the step 1306 results in "No"), the processing
proceeds to a step 1308. In the step 1307, the point at infinity is outputted, and then a step 1313 is executed. On the
other hand, when the decision step 1306 results in "No", Z4B^2 is assigned to Z3 in a step 1308. Further, (Z4)^2 S1S2 is
assigned to S in a step 1309. Subsequently, X4B^2 is assigned to M in a step 1310 while M + S is assigned to X3 in a
step 1311, whereon [X3, Z3] is outputted in a step 1312.

[0080] Through the procedure described above, the addition arithmetic can be realized by executing six times the 
multiplication of mutually different variables. 
[0081] Next, description will turn to the doubling method. Let's represent a double point of P1 by P2 and presume
that P1 = (x1, y1) = [X1, Y1, Z1] and P2 = (x2, y2) = [X2, Y2, Z2]. The doubling expression is given by x2 = (x1)^2 + b/(x1)^2.
Accordingly, in the doubling arithmetic formula x2 = (x1)^2 + b/(x1)^2, x1 is replaced by X1/Z1 with x2 being replaced
by X2/Z2.
[0082] Namely,

X2/Z2 = (X1/Z1)^2 + b/(X1/Z1)^2
      = (X1)^2/(Z1)^2 + (bZ1^2)/(X1)^2

[0083] Thus, there can be derived the following relations.

Z2 = X1^2 Z1^2   (5)

[0084] The doubling method based on the expressions mentioned above will be described below.

Doubling method according to fourth embodiment

[0085] Figure 14 is a flow chart for illustrating a doubling method according to the fourth embodiment of the invention.
It is presumed that Q = [X1, Z1] and b are inputted for thereby outputting 2Q = [X2, Z2] or the point at infinity. More
specifically, [X1, Z1] and b are inputted in a step 1402. When X1 == 0 or Z1 == 0 (i.e., when the decision in a step
1403 results in "Yes"), the processing proceeds to a step 1404. If otherwise (i.e., when the decision step 1403 results
in "No"), the processing proceeds to the step 1405. In the step 1404, the point at infinity is outputted. In the step 1405,
Z1^2 is assigned to S. In the step 1406, X1^2 S is assigned to Z2. In the step 1407, X1^4 + bS^2 is assigned to X2, which is
then

can be realized by executing twice the multiplication of mutually different variables. 

[0086] Through the procedure described above, determination of the x-coordinate corresponding to the scalar (d)
multiplication of given coordinates (x, y) can be realized by executing eight times the multiplication processing for each
bit of d. Furthermore, by setting [kx, k] for the given x-coordinate as the initial value for the scalar multiplication, where
k represents a random number, the private key information can be protected against leakage in terms of the deviation
information of the d(x, y) processing time. Further, this feature indicates that in the DPA (Differential Power Analysis)
for the cryptanalysis, the private key information can also be prevented from leakage as the deviation (or
difference) information of the current (voltage, electric power) involved in the processing of d(x, y).
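
The fourth-embodiment scalar multiplication described above, as an added Python example (not code from the patent): the addition follows relations (2)' and (3)', the doubling computes S = Z1^2, Z2 = X1^2 S, X2 = X1^4 + bS^2, the start value is the randomised [kx, k], and field_mults counts the multiplications of different variables so the eight-per-bit cost can be confirmed. Assumptions not in the patent: the field GF(2^163) with reduction polynomial x^163 + x^7 + x^6 + x^3 + 1, the constructed sample values X0 and CURVE_B, and all function names.

```python
# Added illustration: names and constants are assumptions, not from the patent.
import secrets

M = 163
POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1  # x^163 + x^7 + x^6 + x^3 + 1
X0 = 0x0123456789abcdef0123456789abcdef01234567       # constructed sample x-coordinate
CURVE_B = 0x0fedcba9876543210fedcba9876543210fedcba9  # constructed parameter b != 0
MULS = 0                     # multiplications of two different variables so far

def raw_mul(a, b):
    """Product in GF(2^M): shift-and-xor multiplication reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r

def gf_mul(a, b):
    """Counted multiplication; squarings go through gf_sqr and are not counted."""
    global MULS
    MULS += 1
    return raw_mul(a, b)
def gf_sqr(a):
    return raw_mul(a, a)

def gf_inv(a):
    """Inverse of a nonzero element, a^(2^M - 2), used once for the final X1/Z1."""
    r = a
    for _ in range(M - 2):
        r = raw_mul(gf_sqr(r), a)
    return gf_sqr(r)

def xz_double(P, b):
    """2*[X1, Z1] with x = X/Z: S = Z1^2, Z2 = X1^2*S, X2 = X1^4 + b*S^2."""
    X1, Z1 = P
    if X1 == 0 or Z1 == 0:
        raise ArithmeticError("point at infinity")
    S, X1sq = gf_sqr(Z1), gf_sqr(X1)
    return (gf_sqr(X1sq) ^ gf_mul(b, gf_sqr(S)), gf_mul(X1sq, S))

def xz_add(P1, P2, P4):
    """P1 + P2 given P4 = P2 - P1: Z3 = Z4*B^2, X3 = X4*B^2 + Z4*S1*S2."""
    (X1, Z1), (X2, Z2), (X4, Z4) = P1, P2, P4
    S1, S2 = gf_mul(X1, Z2), gf_mul(X2, Z1)
    B = S1 ^ S2
    if B == 0:
        raise ArithmeticError("point at infinity")
    Bsq = gf_sqr(B)
    return (gf_mul(X4, Bsq) ^ gf_mul(Z4, gf_mul(S1, S2)), gf_mul(Z4, Bsq))

def ladder(m, x0, b, k=None):
    """x-coordinate of m*R (m >= 1) for the point R with x-coordinate x0 != 0."""
    if k is None:
        k = 1 + secrets.randbelow((1 << M) - 1)   # fresh nonzero random k per call
    P1 = P4 = (gf_mul(k, x0), k)                  # x0 -> [k*x0, k]
    P2 = xz_double(P1, b)
    for bit in bin(m)[3:]:                        # bits below the leading 1
        P3 = xz_add(P1, P2, P4)                   # one addition and one doubling
        if bit == "0":                            # per bit, whatever its value
            P1, P2 = xz_double(P1, b), P3
        else:
            P1, P2 = P3, xz_double(P2, b)
    return gf_mul(P1[0], gf_inv(P1[1]))           # back to affine: X1/Z1

def field_mults(m, x0, b, k):
    """Counted multiplications in one ladder() run: 4 + 8 per bit after the first."""
    global MULS
    MULS = 0
    ladder(m, x0, b, k)
    return MULS
```

The interpreter's own running time is not constant; what the example shows is the fixed operation sequence per scalar bit and that different values of k yield the same x-coordinate.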
[0087] Next, description will be directed to a fifth embodiment of the present invention. In the case of the
cryptography according to the second embodiment of the invention, it has been presumed that [X, Y, Z] = [λ^2 X, λ^3 Y,
λZ] for a given projective coordinate λ ≠ 0. However, the teachings of the present invention can also be
implemented with the projective coordinate system in which [X, Y, Z] = [λX, λY, λZ] applies valid.
[0088] When the transformation from the affine coordinates to the projective coordinates can be given by (x, y) ->
[x, y, 1], then it applies valid that Z4 = 1.

Scalar multiplication method according to fifth embodiment

[0089] Figures 15A and 15B are flow charts for illustrating the scalar multiplication method according to the fifth
embodiment of the present invention. Referring to the figures, it is presumed that a projective coordinate component
X0 of the x-coordinate of a given point R and a scalar value m are inputted and that a projective coordinate component
Xm of the x-coordinate of a point corresponding to m-multiplication of R (i.e., the point corresponding to the product of
m and R) is to be outputted. On the presumption, the scalar value m and the projective coordinate component X0 of
the x-coordinate are inputted in the step 1502 shown in Fig. 15A. X0 is assigned to X1 in the step 1504. In a succeeding
step 1505, 1 is assigned to Z1. In succession, [X1, Z1] is assigned to [X4, Z4] in a step 1506. Subsequently, [X1, Z1]
is inputted to the doubling arithmetic, the output of which is assigned to [X2, Z2] (step 1507). Further, the scalar value
m is transformed to the binary bit string h_l h_(l-1) ... h_0 (step 1508), where the most significant bit h_l is 1. Thus, l is
assigned to i in the step 1509 shown in Fig. 15B. In a succeeding step 1510, i - 1 is assigned to i, which is then followed
by a step 1511 where [X1, Z1], [X2, Z2] and X4 are inputted to the addition arithmetic, the output of which is assigned
to [X3, Z3]. When h_i == "0" in the step 1512 (i.e., when the decision step 1512 results in affirmation "Yes"), the processing
proceeds to a step 1513 while it proceeds to a step 1515 when h_i == "1", i.e., when the decision step 1512 results in
negation "No". In the step 1513 shown in Fig. 15B, [X1, Z1] is inputted to the doubling arithmetic, the output from which
is assigned to [X1, Z1]. In the succeeding step 1514, [X3, Z3] is assigned to [X2, Z2], whereon the processing proceeds
to a step 1517. On the other hand, when the decision step 1512 results in "No", [X2, Z2] is inputted to the doubling
arithmetic, the output of which is assigned to [X2, Z2] (step 1515). Further, [X3, Z3] is assigned to [X1, Z1] in the step
1516, whereupon the processing proceeds to the step 1517. When i > 0 in the step 1517, i.e., when the step 1517
results in "Yes", the step 1510 is resumed. If otherwise, i.e., when the decision step 1517 results in "No", the processing
proceeds to a step 1518 where X1/(Z1) is assigned to the projective coordinate component Xm, which is ultimately
outputted in the step 1519, whereupon the processing comes to an end (step 1520).

Addition method according to fifth embodiment

[0090] Figure 16 is a flow chart for illustrating an addition method according to the fifth embodiment of the present
invention. It is assumed that projective coordinates [X1, Z1], [X2, Z2] and X4 are inputted, whereby [X3, Z3] or the point
at infinity is outputted. Thus, projective coordinates [X1, Z1], [X2, Z2] and X4 are inputted in a step 1602. In the succeeding
step 1603, X1Z2 is assigned to S1. Further, X2Z1 is assigned to S2 in a step 1604 with S1 + S2 being assigned to B in
a step 1605. When B == 0 in a step 1606 (i.e., when decision in the step 1606 results in "Yes"), the processing proceeds
to a step 1607. If otherwise (i.e., when decision in the step 1606 results in "No"), the processing proceeds to a step
1608. In the step 1607, the point at infinity is outputted, whereon an end step 1613 is executed. On the other hand,
unless B = 0 in the step 1606, B^2 is assigned to Z3. In the succeeding step 1608, S1S2 is assigned to S. Further, (X4Z3)
is assigned to M in a step 1610 while M + S is assigned to X3 in a step 1611. Finally, [X3, Z3] is outputted in a step
1612. Through the procedure described above, the addition arithmetic can be realized by executing four times the
multiplication of mutually different variables. Parenthetically, as the doubling arithmetic according to the instant
embodiment of the invention, the doubling arithmetic described hereinbefore can be adopted. Additionally, the method
incarnated in the instant embodiment can also find application not only to the arithmetic with the elliptic curve in the
finite field of characteristic 2 but also to the arithmetic with the elliptic curve in the prime field.

Sixth embodiment 

[0091] Next, description will be made of the elliptic curve arithmetic unit according to a sixth embodiment of the
present invention. Figure 9 is a functional block diagram showing schematically a structure of the elliptic curve arithmetic
unit according to the sixth embodiment of the present invention. In the figure, reference numeral 901 denotes generally
an elliptic curve arithmetic unit which corresponds to the one shown in Fig. 1 and designated by the reference numeral
109. Referring to Fig. 9, inputted to the elliptic curve arithmetic unit 901 are x-coordinate X0 of a given point, a scalar
value m and a parameter b of the elliptic curve of the standard form given by y^2 + xy = x^3 + ax^2 + b in the finite field of
characteristic 2 (extension field of "2"), as indicated by an arrow 902, whereby x-coordinate Xm of a point corresponding
to m-multiplication of above-mentioned given point is outputted from the elliptic curve arithmetic unit 901, as indicated
by an arrow 903. At this juncture, it should however be mentioned that although the instant embodiment of the invention
is described in conjunction with the elliptic curve in the finite field of characteristic 2, the invention can equally be
implemented with the elliptic curve in the prime field.

[0092] The elliptic curve arithmetic unit 901 includes a random number generation module 904 for generating a
random number k to be outputted, as indicated by an arrow 905. The random number k generated by the random
number generation module 904 is inputted to a projective coordinate transformation module 906 together with the
x-coordinate X0, the scalar value m and the parameter b although they are not shown in Fig. 9, to be thereby transformed
to the projective coordinates [kX0, k], which is then assigned to [X1, Z1]. The projective coordinate [X1, Z1] and the
scalar value m are inputted to a scalar multiplication module 908, whereby a point given by [X1, Z1] multiplied by m is
determined. Thus, the x-coordinate Xm of the point as determined is outputted from the scalar multiplication module
908. In the scalar multiplication module 908, [X1, Z1] is first assigned to [X4, Z4] which may be previously stored in a
memory incorporated, for example, in the scalar multiplication module. Further, the projective coordinates [X1, Z1] are
supplied to a doubling arithmetic module 913 for determining a double point [X2, Z2]. Subsequently, m is developed to
a binary bit string. Every time the bit assumes "0", starting from the more significant bit, [X1, Z1] is supplied to the
doubling arithmetic module 913, whereon the double point outputted from the doubling arithmetic module 913 is
assigned to [X1, Z1]. Subsequently, projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4] are inputted to an addition
arithmetic module 910, and the addition point outputted from the addition arithmetic module 910 is assigned to [X2, Z2]. On
the other hand, when the bit is "1", the projective coordinates [X2, Z2] are outputted to the doubling arithmetic module
913, whereon the double point outputted from the doubling arithmetic module 913 is assigned to [X2, Z2]. Subsequently,
the projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4] are inputted to the addition arithmetic module 910, and the
addition point outputted from the addition arithmetic module 910 is assigned to [X1, Z1]. Thus, there is derived the
Xm-coordinate of the m-tuple point.

[0093] Inputted to the addition arithmetic module 910 is [X1, Z1], [X2, Z2], [X4, Z4] for arithmetically determining [X3,
Z3] which satisfies the conditions that [X3, Z3] = [X2, Z2] + [X1, Z1] and that [X4, Z4] = [X2, Z2] - [X1, Z1]. The coordinates
[X3, Z3] are then outputted from the addition arithmetic module 910.

[0094] More specifically, assigning arithmetics S1 <- X1Z2^2, S2 <- X2Z1^2 and B <- S1 + S2 are first executed. When
B == 0, the point at infinity is outputted, whereupon the processing comes to an end. Unless B = 0, assigning arithmetics
Z3 <- Z4B, S <- Z4^2 S1S2, M <- X4Z3^2 and X3 <- M + S are executed.

[0095] Inputted to the doubling arithmetic module 913 are [X1, Z1] and b for arithmetically determining the coordinates
[X2, Z2] which satisfy the conditions that [X2, Z2] = [X1, Z1] + [X1, Z1]. The coordinates [X2, Z2] are then outputted from
the doubling arithmetic module 913. In the case where X1 == 0 or Z1 == 0, the point at infinity is outputted. If otherwise,
assigning arithmetics S <- Z1^2, Z2 <- X1S and X2 <- X1^4 + b(S)^4 are executed.

[0096] In the case of the embodiment described above, it has been assumed that the x-coordinate X0 is transformed
to the projective coordinates [kX0, k]. However, it goes without saying that the teachings of the present invention can
equally be applied to the transformation of the x-coordinate X0 to the projective coordinates [k^2 X0, k].
[0097] Finally, it should be added that the methods according to the embodiments of the invention described in the
foregoing can be stored in a recording medium in the form of a program or programs executable with a computer
without departing from the spirit and scope of the present invention.

[0098] As will be appreciated from the foregoing description, the elliptic curve encryption processing can be executed
at a significantly increased speed according to the teachings of the invention when compared with the conventional
cryptograph technologies. Furthermore, by virtue of such arrangement that the processing time for d(x, y) does not
depend on the bit pattern of d in realization of the elliptic curve cryptography, the private key information can be protected
against leakage from or in terms of the deviation information.

[0099] Many modifications and variations of the present invention are possible in the light of the above techniques.
It is therefore to be understood that within the scope of the appended claims, the invention may be practiced otherwise
than as specifically described.



Claims 



1. A method of implementing an elliptic curve cryptography in a finite field of characteristic 2 (or an extension field of
"2") in which said elliptic curve is given by y^2 + xy = x^3 + ax^2 + b and in which x and y are variables in an x-y
coordinate system, a and b are parameters, addition of points P1(x1, y1) and P2(x2, y2) on said elliptic curve
composed of points defined by individual coordinate components is presumed to be represented by P3(x3, y3)
with subtraction of said points P1(x1, y1) and P2(x2, y2) being presumed to be represented by P4(x4, y4),
comprising the steps of:

inputting the coordinate component x1;
transforming said inputted coordinate component x1 into X- and Z-coordinates [X1, Z1] of a projective space
where Z is a variable in the Z-coordinate;
storing said coordinates [X1, Z1] of said projective space;
transforming said coordinate component x2 into coordinates [X2, Z2] of said projective space;
storing said projective coordinate [X2, Z2];
transforming said coordinate component x4 into coordinates [X4, Z4] of said projective space;
storing said projective coordinates [X4, Z4];
determining projective coordinates [X3, Z3] from said stored projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4];
transforming said projective coordinates [X3, Z3] into said coordinate component x3; and
outputting said coordinate component x3,

whereby scalar multiplication of said point P1(x1, y1) is determined.

2. A method of implementing an elliptic curve cryptography according to claim 1,

further comprising the steps of:
generating a random number k;
storing said generated random number k;

transforming the x-coordinates into projective coordinates to thereby derive projective coordinates [k^2 x, k]
through arithmetic operation of individual coordinate components of said projective space and said stored
random number k.

3. A method of implementing an elliptic curve cryptography according to claim 1,

further comprising the steps of:
generating a random number k;
storing said generated random number k;

transforming the x-coordinates into projective coordinates to thereby derive projective coordinates [kx, k]
through arithmetic operation of individual coordinate components of said projective space and said stored
random number k.

4. A method of implementing an elliptic curve cryptography according to claim 1,
wherein the step of determining said projective coordinates [X3, Z3] susceptible to the transformation into said
coordinate component x3 from said stored projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4] includes the
substeps of:

computing B = X1Z2^2 + X2Z1^2;
storing said computed B;
deciding whether or not said stored B satisfies condition that B = 0;
outputting a point at infinity when B = 0 while arithmetically determining Z3 = Z4B unless B = 0;
storing said determined Z3; and
arithmetically determining X3 = X4B^2 + X1X2Z1^2Z2^2Z4^2 from said stored Z3.

5. A method of implementing an elliptic curve cryptography according to claim 1,

wherein the step of determining said projective coordinates [X3, Z3] susceptible to transformation into said
coordinate component x3 from said stored projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4] includes the
substeps of:

computing B = X1Z2 + X2Z1;
storing said computed B;
deciding whether or not said stored B satisfies condition that B = 0; and
outputting a point at infinity when B = 0 while determining arithmetically Z3 = Z4B^2 and X3 = X4B^2 + X1X2Z1Z2Z4
unless B = 0.

6. An apparatus implementing an elliptic curve cryptography in a finite field of characteristic 2 (or an extension field
of "2"), in which x and y are variables in an x-y coordinate system, a and b are parameters, said elliptic curve is
given by y^2 + xy = x^3 + ax^2 + b, comprising:

random number generating means (108) for generating a random number k;
projective coordinate transformation means (906) receiving as inputs thereto coordinate x0 of said finite field
of characteristic 2 and said random number k, to thereby transform said coordinate x0 into projective
coordinates [kx0, k] = [X1, Z1];
doubling arithmetic means (913) for arithmetically determining a double point from said projective coordinates
[X1, Z1];
addition arithmetic means (910) for determining an addition point from said projective coordinate [X1, Z1] where
Z is a variable in the Z-coordinate to thereby output said addition point; and
scalar multiplication means (908) receiving information from said projective coordinate transformation means
(906), said doubling arithmetic means (913) and said addition arithmetic means (910) to thereby perform scalar
multiplication of the coordinate component x0.

7. A recording medium storing a program for implementing an elliptic curve cryptography in a finite field of
characteristic 2 (or an extension field of "2"), in which said elliptic curve is given by y^2 + xy = x^3 + ax^2 + b and in which x
and y are variables in an x-y coordinate system, a and b are parameters, addition of points P1(x1, y1) and P2(x2,
y2) on said elliptic curve composed of points defined by individual coordinate components is presumed to be
represented by P3(x3, y3) with subtraction of said points P1(x1, y1) and P2(x2, y2) being presumed to be
represented by P4(x4, y4), said program comprising the statements of:

inputting a coordinate component x1;
transforming said inputted coordinate component x1 into X- and Z-coordinates [X1, Z1] in a projective space;
storing said coordinates [X1, Z1] of said projective space;
transforming said coordinate component x2 into coordinates [X2, Z2] of said projective space;
storing said projective coordinate [X2, Z2] where Z is a variable in the Z-coordinate;
transforming said coordinate component x4 into coordinates [X4, Z4] of said projective space;
storing said projective coordinates [X4, Z4];
determining projective coordinates [X3, Z3] from said stored projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4];
transforming said projective coordinates [X3, Z3] into said coordinate component x3; and
outputting said coordinate component x3,
whereby scalar multiplication of said point P1(x1, y1) is determined.

8. A recording medium storing a program for implementing an elliptic curve cryptography according to claim 7,

said program further comprising the statements of:
generating a random number k;
storing said generated random number k;
derive projective coordinates [k^2 x, k]
random number k.

9. A recording medium storing a program for implementing an elliptic curve cryptography according to claim 7,

said program further comprising the statements of:
generating a random number k;
storing said generated random number k;
thereby derive projective coordinates [kx, k]
random number k.

10. A recording medium storing a program for implementing an elliptic curve cryptography according to claim 7,

wherein the said statement of determining said projective coordinates [X3, Z3]
into said coordinate component x3 from said stored projective coordinates

further the statements of:
computing B = X1Z2^2 + X2Z1^2;
storing said computed B;
deciding whether or not said stored B satisfies condition that B = 0;
outputting a point at infinity when B = 0 while determining arithmetically Z3 = Z4B unless B = 0;
storing said determined Z3; and
determining arithmetically X3 = X4Z3^2 + X1X2Z1^2Z2^2Z4^2 from said stored Z3.

11. A recording medium storing a program for implementing an elliptic curve cryptography according to claim 7,

wherein the statement of determining said projective coordinates [X3, Z3]
said coordinate component x3 from said stored projective coordinates [X1, Z1], [X2, Z2] and [X4, Z4]

further the statements of:
computing B = X1Z2 + X2Z1;
storing said computed B;
deciding whether or not said stored B satisfies condition that B = 0; and
outputting a point at infinity when B = 0 while determining arithmetically Z3 = Z4B and X3
= X4B^2 + X1X2Z1Z2Z4 unless B = 0.



12.

sented by P3(x3, y3) with subtraction of said points P1(x1, y1) and P2(x2, y2)
by P4(x4, y4), said program comprising the statements of:

'::^:^^'r^,tSZ'^^^^ ^,0 X. a™. Z^rd.n«» ,X,. Z,l ,n . P^JC*. space; 

rZiSgrp|rc*:c^:;°s,?:z^;,on,=a«^ 

transforming said projective coordinates [X3, Z3] into said coordinate component x3; and
outputting said coordinate component x3,

whereby scalar multiplication of said point P1(x1, y1) is determined.